[Openswan Users] Using Openswan 2.4.0 with a Watchguard Firebox II
Paul Overton
paul at trusted-management.com
Tue Jan 17 23:23:14 CET 2006
Jason,
Have you had any luck with getting Openswan to work with Watchguard Firebox
II yet?
I did this approx 2 years ago!! and so far as I am aware the formula should
still work.
Which version of Firebox software are you using? You will need at least
version 5.
I have never used Aggressive mode, but have chosen to use PSK with LAN to
LAN networks.
--
Paul Overton
_____
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Jason Green
Sent: 16 January 2006 22:55
To: users at openswan.org
Subject: [Openswan Users] Using Openswan 2.4.0 with a Watchguard Firebox II
I'm running Openswan U2.4.0/K2.6.12-10-amd64-generic on Ubuntu Breezy and
trying to connect to a Watchguard Firebox II with no success. I have full
access to the router and can make whatever changes are necessary. The old
Interoperating wiki for Watchguard seems quite out of date, since many of
the options on the original mailing post are no longer valid. One caveat...
I'm running this on my Linux box which is behind my Zyxel Firewall. The
Zywall has an option to forward IPSEC requests for VPNs. This works fine
using the Watchguard Windows client MUVPN, but I'm trying to avoid running
Windows.
Here's the list of errors that I get on my Watchguard System Manager:
From <my remote ip> AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
Proposal is unacceptable: mess_id=0
Sending NO_PROPOSAL_CHOSEN message
Error processing (sa)
Agresssive Mode processing failed
Header invalid (unable to verify, msg = ISA_SA)
followed by "Skipping duplicate packet from <my remote ip>"
And, here is the error I get from running "ipsec auto --up my_connection":
003 "my_connection" #1: multiple transforms were set in aggressive mode. Only first one used.
003 "my_connection" #1: transform (5,2,2,0) ignored.
003 "my_connection" #1: multiple transforms were set in aggressive mode. Only first one used.
003 "my_connection" #1: transform (5,2,2,0) ignored.
112 "my_connection" #1: STATE_AGGR_I1: initiate
010 "my_connection" #1: STATE_AGGR_I1: retransmission; will wait 20s for response
Here's my ipsec.conf file:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
# Add connections here
conn my_connection
    type=tunnel
    keyingtries=0
    authby=secret
    left=192.168.1.34 # (that is my IP behind my firewall)
    leftnexthop=%defaultroute
    leftid=jave27 at gmail.com
    right=<my_server_ip>
    rightsubnet=192.168.0.0/24
    rightid=@gmail.com
    aggrmode=yes
    auto=add
    ike=3des-sha1
    pfs=yes
I've tried all sorts of combinations, adding other options, getting rid of
almost all of them, but nothing seems to work. Any tips or pointers to the
right direction would be spectacular. Thanks in advance!
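As an added example that is not part of this thread, the following Python lint reads an ipsec.conf in the Openswan 2.x style and flags what the pluto output above complains about (a single ike= line with no DH group expanding to several transforms, of which aggressive mode keeps only the first) plus the usual caveat for PSK in aggressive mode. It assumes the Openswan proposal syntax enc-hash[-modpN]; the sample config is constructed from the post.

```python
# Added example, not code from the thread: lint an Openswan-style ipsec.conf for the
# aggressive-mode issues in the pluto output above. Assumes Openswan 2.x syntax where
# ike= is comma-separated "enc-hash[-modpN]" proposals. SAMPLE_CONF is constructed from the post.
import re

SAMPLE_CONF = """\
version 2.0
config setup
    uniqueids=yes
conn my_connection
    authby=secret
    left=192.168.1.34
    right=<my_server_ip>
    aggrmode=yes
    ike=3des-sha1
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; a 'conn NAME' section is keyed by NAME."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                    # unindented line: section header
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:    # indented line: key=value
            key, _, val = line.strip().partition("=")
            sections[current][key.strip()] = val.strip()
    return sections

def lint_aggressive(sections):
    """Return (conn, finding) pairs for every conn that enables aggrmode."""
    findings = []
    for name, kv in sections.items():
        if kv.get("aggrmode", "no") != "yes":
            continue
        proposals = [p for p in kv.get("ike", "").split(",") if p]
        if len(proposals) > 1:
            findings.append((name, "aggressive mode sends only the first ike= proposal"))
        if proposals and not re.search(r"-modp\d+$", proposals[0]):
            findings.append((name, "ike= names no DH group; pluto expands it and keeps only the first transform"))
        if kv.get("authby") == "secret":
            findings.append((name, "PSK in aggressive mode exposes the PSK hash to offline guessing; prefer main mode"))
    return findings
```

Running lint_aggressive(parse_ipsec_conf(SAMPLE_CONF)) reports the missing DH group and the PSK caveat for my_connection; a conn with ike=3des-sha1-modp1536 and authby=rsasig produces no findings.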